Initial understanding of SQL injection

One, SQL injection overview

SQL (Structured Query Language) is the language used to manipulate database data; a web application uses SQL whenever its data and the data in the back-end database interact. SQL injection modifies or splices the input parameters of a web page (the URL, form fields, or request packet) into SQL statements, which are passed to the web server and then on to the database server, where they run as database commands.
SQL injection occurs when the web application does not check the legality of user input, or does not filter it strictly, so that an attacker can append additional SQL to the end of the query statement predefined in the web application. This tricks the database server into executing unauthorized, arbitrary queries without the administrator's knowledge, and the attacker can then obtain the corresponding data.

Two, the principle of SQL injection

A SQL injection attack manipulates the input so that the SQL statement built from it is changed, and thereby carries out a code attack against the web server. In other words, SQL commands are inserted into the query string of a POST/GET web form, an input field, or a page request, and the web server is ultimately made to execute malicious commands.

Three, common SQL injection statements

1. Create a database:
"CREATE DATABASE database-name"
2. Delete a database:
"drop database dbname"
3. Create a new table:
"create table tabname(col1 type1 [not null] [primary key], col2 type2 [not null], ...)"
4. Delete a table:
"drop table tabname"
5. Add a column:
"alter table tabname add column col type"
(Note: a column cannot be deleted after it is added, and its data type cannot be changed afterwards; the only thing that can be changed is to increase the length of a varchar column.)
6. Create an index:
"create [unique] index idxname on tabname(col...)"
7. Delete an index:
"drop index idxname"
(Note: an index cannot be modified. If you want to change it, you must delete it and rebuild it.)
8. Add a primary key:
"alter table tabname add primary key (col)"
9. Delete a primary key:
"alter table tabname drop primary key (col)"
10. Create a view:
"create view viewname as select statement"
11. Delete a view:
"drop view viewname"
12. Create a new table from an existing table:
"create table tab_new like tab_old"
13. Update:
"update table1 set field1=value1 where range"
14. Search:
"select * from table1 where field1 like '%value1%'" (all strings containing the pattern 'value1')
15. Sort:
"select * from table1 order by field1, field2 [desc]"
16. Sum:
"select sum(field1) as sumvalue from table1"
17. Average:
"select avg(field1) as avgvalue from table1"
18. Maximum:
"select max(field1) as maxvalue from table1"
19. Minimum:
"select min(field1) as minvalue from table1"

Four, SQL injection method

According to the input parameters, SQL injection methods can be roughly divided into two categories: numeric injection and character injection.

1. Numeric injection

When the input parameter is an integer, such as an ID, an age, or a page number, an injection vulnerability in that parameter is considered a numeric injection.
Numeric injection is most often found in weakly typed languages such as ASP and PHP, which infer the type of a variable automatically. In strongly typed languages such as Java and C#, trying to convert such a string to an int throws an exception and execution cannot continue, so strongly typed languages rarely have numeric injection vulnerabilities.
Determining the injection point of a numeric vulnerability:
(1) First enter a single quotation mark in the input box. The SQL statement becomes:
SELECT * FROM table WHERE id=1'
This does not conform to the grammar, so the statement will certainly fail; the script cannot obtain data from the database, and the original page appears abnormal.
(2) Enter "and 1 = 1" in the input box. The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 1
The statement is correct and executes normally, and the returned data does not differ from the original request.
(3) Enter "and 1 = 2" in the input box. The SQL statement becomes:
SELECT * FROM table WHERE id=1 and 1 = 2
The syntax is correct and the statement executes normally, but the logic is wrong: because 1 = 2 is false, the returned data differs from the original request.
If all three steps behave as described, the program may have a numeric SQL injection vulnerability.

2. Character injection

When the input parameter is a character string, the injection is called character injection. The biggest difference between numeric injection and character injection is that numeric injection does not need to close a single quote, while string injection generally does. The key to character injection is how to close the SQL string and comment out the remaining code.
The test strings for character injection are:
'and''='   displays normally
'and''='1  displays abnormally
If both conditions hold at the same time, there is an injection.
Determining the injection point of a character vulnerability:
(1) First enter a single quote, admin', to test. The SQL statement becomes:
SELECT * FROM table WHERE username='admin''
The page is abnormal.
(2) Input: admin' and 1 = 1--
Note: the single quote ' after admin closes the string, and the comment character -- at the end comments out the rest (there must be a space after the two dashes!).
The SQL statement becomes:
SELECT * FROM table WHERE username='admin' and 1 = 1--
The page is displayed correctly.
(3) Input: admin' and 1 = 2--
The SQL statement becomes:
SELECT * FROM table WHERE username='admin' and 1 = 2--
The page shows an error.
If all three steps behave as described, the program may have a character SQL injection vulnerability.
Note: the following types of injection are different forms of numeric and character injection.
POST injection: the injected field is in the POST data.
Cookie injection: the injected field is in the cookie data.
Delay injection: uses the database's delay feature for injection.
Search injection: the injection point is a search field.
Base64 injection: the injected string must be base64 encoded.
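As an added illustration (not code from the original post), the three-step probes from the numeric and character sections above are run against a string-spliced query and against its parameterized replacement, using a constructed in-memory SQLite table with a single hypothetical `users` table:

```python
import sqlite3

# Constructed in-memory database so the example runs offline; the table and rows
# are hypothetical, not from the original post.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "guest")])
conn.commit()


def spliced_by_id(user_input):
    # Numeric pattern: the raw value is pasted into the statement without quotes.
    sql = f"SELECT id, username FROM users WHERE id={user_input}"
    return conn.execute(sql).fetchall()


def spliced_by_name(user_input):
    # Character pattern: the raw value is pasted between single quotes.
    sql = f"SELECT id, username FROM users WHERE username='{user_input}'"
    return conn.execute(sql).fetchall()


def bound_by_id(user_input):
    # Hardened: enforce the integer type first (int() raises ValueError on
    # "1 and 1=1", as a strongly typed language would), then bind a parameter.
    return conn.execute("SELECT id, username FROM users WHERE id=?",
                        (int(user_input),)).fetchall()


def bound_by_name(user_input):
    # Hardened: the value travels as a bound parameter, so the quote and the
    # -- comment are plain data and never change the statement.
    return conn.execute("SELECT id, username FROM users WHERE username=?",
                        (user_input,)).fetchall()


def observe(query_fn, user_input):
    """What the page would show for this input: 'error' or the rows returned."""
    try:
        return query_fn(user_input)
    except (sqlite3.Error, ValueError):
        return "error"
```

With the spliced builders, `1'` / `admin'` give an error, `and 1 = 1` returns the original row and `and 1 = 2` returns nothing, exactly the three-step signature; with the bound builders the same inputs are either rejected by the type check or simply match no user.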

Five, SQL injection attacks

1. Boolean-based blind injection

Because the page's return value is either true or false, Boolean-based blind injection obtains database information from the page's return value after injection.

2. Time-based blind injection

Time-based blind injection determines whether the page has an SQL injection point from the difference in the page's response time.

3. Union query injection

Union query injection uses UNION to merge the result sets of two or more SELECT statements, so the SELECTs must have the same number of columns and the data type of each column must match. Union query injection can append an "order by 9" clause (with the number chosen at random) to the end of the link and judge the number of fields in the site from the page's response. The prerequisite for union query injection is that the injected page must have a display position, that is, a place where query results are echoed.

4. Injection based on error information

Error message-based injection is a formulaic injection method, used when the page has no display position but a call such as echo mysql_error(); outputs the error message.

Six, SQL injection process

1. Detect the SQL injection point.
2. Collect information about the back-end database.
3. Guess the username and password.
4. Find the web back-end management entrance.
5. Intrusion and damage.

Source: blog.csdn.net/qq_45970607/article/details/108558940